HIPAA Business Associate Agreement for Chiropractors

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read

Key Takeaways

Direct answer: Yes — chiropractic practices are HIPAA covered entities. As a healthcare provider transmitting PHI electronically, your practice must sign Business Associate Agreements with every vendor that handles patient records: your EHR, billing company, imaging system, and IT support provider. Practice size does not reduce these obligations.

Chiropractic practices often rely on a multi-vendor ecosystem — separate platforms for scheduling, clinical documentation, digital imaging, and billing — and each of those relationships creates a HIPAA BAA requirement. Unlike a solo medical practice that might use a single integrated EHR, chiropractors frequently mix systems from different vendors, making it easy for BAA gaps to appear.

Why Chiropractors Are Covered Entities

Under HIPAA, a covered entity includes healthcare providers who transmit health information electronically in connection with any transaction covered by HIPAA's Transactions Rule. Chiropractic offices that submit insurance claims electronically — directly or through a billing company or clearinghouse — meet this definition.

Covered chiropractic providers include:

A chiropractor who only accepts cash and never submits insurance claims may have an argument that they are not a covered entity — but this is rare, and any practice that uses billing software that submits electronic transactions is almost certainly covered.

What PHI Does a Chiropractic Practice Handle?

PHI in a chiropractic context includes any individually identifiable health information, such as:

Every vendor whose system stores, processes, or transmits any of the above requires a signed BAA before you share that data.

Vendors Chiropractic Practices Typically Need BAAs With

Chiropractic EHR and Practice Management Software

ChiroTouch, Genesis Chiropractic Software, Jane App, ECLIPSE, and Platinum System are among the most widely used platforms. Each of these holds patient clinical records, treatment notes, and billing data. All reputable chiropractic EHR vendors offer BAAs — but you must actively request or execute the agreement. Simply purchasing a subscription does not automatically create a signed BAA.

Billing Companies and Clearinghouses

If your practice uses an outside billing company to submit claims, or a clearinghouse to transmit electronic claims to payers, those companies are business associates. They receive patient names, dates of service, CPT/ICD codes, and insurance IDs — all PHI. Request a BAA before sending the first claim, and retain executed copies in your compliance records.

Digital X-Ray and Imaging Systems

Chiropractic practices routinely take X-rays during initial patient assessments. When digital X-ray systems store images on cloud servers or allow remote access, the software vendor and the cloud infrastructure provider become business associates. Even local PACS (picture archiving and communication systems) may require BAAs if they transmit data outside your office network.

Appointment Scheduling and Patient Recall Platforms

Online scheduling tools and patient recall reminder systems that link a patient's name to your practice name qualify as handling PHI. Platforms like Jane App's scheduling component, Acuity Scheduling (when used with health-related data), or dedicated recall systems all require BAAs.

IT Support and Managed Service Providers

Any IT provider with remote access to your systems — even for routine maintenance — is a business associate if those systems contain patient records. This is one of the most commonly missed BAA requirements in small chiropractic practices. The vendor's claim that they "don't look at" patient data does not change their HIPAA status; their potential access to PHI is what matters.

Cloud Backup and Storage Services

If your patient records are backed up to cloud storage (Google Workspace, Microsoft 365, Dropbox Business, Carbonite), those platforms must have signed BAAs with your practice. Consumer-grade accounts for these services typically do not include BAA provisions — you need a business-tier account with a signed BAA addendum.

The Multi-Vendor Risk in Chiropractic Practices

A distinctive risk for chiropractic offices is the tendency to use separate best-of-breed tools rather than a single integrated platform. When your EHR is one product, your imaging system is a second, your billing is handled by a third-party company, and your IT is managed by a fourth vendor, each relationship requires its own BAA. It is common for practices to have a BAA with their EHR vendor but not with their imaging vendor, billing company, or IT provider.

To close these gaps, conduct a vendor audit: list every external company that can access patient data, and confirm that a signed BAA exists for each one. See our guide on when you need a HIPAA BAA and how to check whether your vendor signs a BAA for a step-by-step approach.

BAA Requirements for Solo Chiropractors

Solo chiropractors sometimes assume that their small practice size creates an exemption or reduced obligation under HIPAA. It does not. HIPAA's BAA requirements under 45 CFR § 164.504(e) apply equally to a one-provider chiropractic office and a twenty-location group practice. The HHS Office for Civil Rights has investigated and fined small healthcare providers — including solo practices — for missing BAAs.

If anything, solo practices face greater risk because they often lack a dedicated compliance officer to track vendor agreements. Building a simple vendor log that records each BAA, the date it was signed, and where the document is stored is a practical way to manage this obligation.

Common Vendor BAA Table for Chiropractors

Vendor Type | Example Vendors | BAA Required?
Chiropractic EHR / PM | ChiroTouch, Genesis, Jane App, ECLIPSE | Yes
Billing company | Outsourced billing firms, ChiroFusion billing | Yes
Clearinghouse | Availity, Change Healthcare, Office Ally | Yes
Digital X-ray / imaging | Carestream, Konica Minolta, Philips | Yes (if cloud-connected)
IT support / MSP | Local IT provider, remote support firm | Yes
Cloud backup | Microsoft 365, Google Workspace Business | Yes
Patient scheduling | Jane App, NexHealth, Acuity (health context) | Yes

Frequently Asked Questions

Do chiropractors need a HIPAA Business Associate Agreement?

Yes. Chiropractic practices are HIPAA covered entities because they are healthcare providers who transmit health information electronically in connection with standard transactions such as insurance claims. Every vendor that creates, receives, maintains, or transmits PHI on behalf of a chiropractic practice must sign a BAA under 45 CFR § 164.504(e).

What software vendors require BAAs for chiropractic practices?

ChiroTouch, Genesis Chiropractic Software, Jane App, ECLIPSE, and Platinum System all provide BAAs. You also need BAAs with your billing company or clearinghouse, your digital imaging vendor (if cloud-connected), your IT support provider, and any cloud backup or patient communication platform you use.

Does a solo chiropractor need HIPAA BAAs?

Yes. HIPAA does not exempt small or solo practices from the BAA requirement. A solo chiropractor using cloud-based practice management software or an outside billing company has the same obligations as a large multi-provider group. The HHS OCR has pursued enforcement actions against solo providers for missing BAAs.

Does a chiropractic imaging system require a BAA?

Yes, if the imaging system stores images in the cloud or allows remote access and those images can be linked to identifiable patients. Most modern digital X-ray and CBCT vendors with cloud storage components offer BAAs. Contact your imaging vendor's compliance team to request one if you haven't already signed one.
